Privacy, data and different jurisdictions: Examining requirements in non-EU countries

In an increasingly globalized economy, the practice of law has expanded across borders as companies’ employees, actions and influence continue to spread across multiple jurisdictions. The varying privacy laws in place in different countries, industries and even states have far-reaching implications for law practitioners within the electronic discovery sphere. The growth in big data and cloud storage has only compounded these challenges for e-discovery professionals.

In the first of three articles, we explored the privacy challenges that exist across jurisdictions within the United States for collecting, reviewing and processing data that may be potentially relevant to a lawsuit or investigation. Here, we will explore data privacy regulations in non-European Union countries. In the next article, we will look at cultural and legal differences that impact data privacy and discovery between the United States and the EU.

Challenges in non-EU jurisdictions

Although conducting discovery in different domestic jurisdictions can have complications for legal departments, the difficulties of collecting and processing data from outside the United States provide another type of headache. In these situations, counsel may be subject to privacy legislation originating from multiple government institutions, all of which have unique legal, cultural and economic perspectives.

Consider several real-world scenarios:

In one situation, a Canadian company was engaged in business with a Cuban entity and therefore held Cuban data at its facility. Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and further reinforced by blocking statutes such as the Business Records Protection Act (BRPA), this data belongs to the citizens of Canada and is free from scrutiny by U.S. entities. Therefore the Cuban data could not be brought into the United States for review by U.S. attorneys and U.S. authorities. As a result, all of the data collected had to be processed on-site to ensure that only viable data entered the United States.

Discovery has also become more challenging when dealing with Chinese entities because the Chinese government has begun to devote more attention to the protection of its citizens’ privacy. It used to be the case that data privacy was nonexistent in the People’s Republic of China, but with the growth of capitalism, the Chinese government has developed an increasing interest in data privacy. The latest result of this trend came in 2013 when the Chinese government instituted the “Information Technology Security — Guideline for Personal Information Protection Within Information Systems for Public and Commercial Services.” This guideline is fairly overarching, and almost all of the data sources that would be collected in a typical U.S. discovery fall under it.

Unlike the above two scenarios, some parts of the world have little or no data privacy restrictions and can be much easier to collect data from during discovery. When collecting data from Mexico City, counsel assessed that there were no privacy restrictions to prevent the complete collection of data prior to its return for processing in the United States. The same attitude also applied for a matter where data resided in Luanda, Angola. Thus in these instances, complete data sets could be preserved and collected — either remotely or on-site — and then transported back to a U.S. facility prior to any culling. Despite the lack of privacy restrictions in these locations, there were still obstacles to overcome, such as physical security concerns, language translation and poor Internet service. As such, it was important to be able to lean on local resources to navigate these types of obstructions.

What in-house counsel need to consider

While many attorneys in U.S. legal departments know that EU countries carefully restrict access to personal information during lawsuits, they may not be as familiar with the strict laws in other countries. In order to make sure they stay in compliance with the laws in all the international jurisdictions that may contain their company’s data, in-house attorneys need to do their homework. Along with the national laws of foreign countries, the legal team must also understand how any local, territorial, state or provincial laws could impact data privacy considerations.

The type of information involved may also be tremendously significant. Different jurisdictions place varying degrees of importance on particular types of personal data. In-house attorneys should try to find out as much as possible about any potentially responsive information that could be part of a litigation with overseas implications. This type of knowledge can give the legal team a strategic advantage and allow it to implement a swift and cost-effective preservation and collection plan. Furthermore, once a company is aware of the privacy legislation that governs the data in its international locations and what action will be needed to collect that data, it may then be in a position to go back to the court and negotiate the scope of discovery given its full knowledge of exactly what data will be the most burdensome to collect.

Legal teams should also carefully consider where, how and whether to transfer any data that may be subject to foreign laws and regulations. In some situations, it may make sense to conduct discovery from preservation all the way through review in the country where the lawsuit has been filed in order to remain in compliance with local privacy legislation.

Along with legal issues, cultural expectations in foreign jurisdictions can also vary significantly from what many attorneys are used to. For example, there may be physical security concerns at the location where data needs to be collected which might require the employment of an armed guard if the work will be on-site. If the intention is to conduct a remote collection, it is important to check that there is reliable Internet access in order for this to be viable. Understanding and alleviating these issues can minimize many problems throughout the discovery process. If companies do not possess this type of knowledge in-house, they should find partners and vendors who can offer insights.